371 matches found
CVE-2026-35476
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, a non-staff authenticated user can elevate their account to a staff level via a POST request against their user account endpoint. The write permissions on the API endpoint are improperly configured, allowing any us...
CVE-2026-42881
STIGQter is an open-source reimplementation of DISA's STIG Viewer. From 0.1.2 to before 1.2.7, an attacker can achieve local code execution LCE with the privileges of the user running STIGQter. This requires user interaction: the victim must open the malicious .stigqter file and explicitly run th...
EUVD-2026-28934
apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key e.g...
CVE-2026-42576
CVE-2026-42576 affects chainguard/apko. Before v1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as *rsa.PublicKey without key-type checks. If a repository JWKS endpoint returns a non-RSA key (e.g., EC), an unchecked type assertion panics, crashing apko ...
CVE-2026-42576
apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, DiscoverKeys in pkg/apk/apk/implementation.go unconditionally type-asserts JWKS keys as rsa.PublicKey without checking the key type. If a repository JWKS endpoint returns a non-RSA key e.g...
CVE-2026-42575 apko doesn't verify downloaded apk packages against APKINDEX checksum (package substitution possible)
apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and...
EUVD-2026-28933
apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and...
CVE-2026-42575
CVE-2026-42575 affects chainguard/apko: before v1.2.7, apko verifies APKINDEX.signed index but does not compare individually downloaded .apk checksums to the index checksum. The ChecksumString() is parsed but never cross-checked with the downloaded package’s control hash in getPackageImpl(), allo...
apko code issue vulnerability
Apko is an open-source OCI image builder based on APK. Versions of Apko prior to 1.2.7 had code vulnerabilities. These vulnerabilities stemmed from DiscoverKeys’ unconditional assertion of JWKS key types as rsa.PublicKey without checking the key type. This could lead to panic and crashes due to...
CVE-2026-6672
The CVE concerns the WordPress plugin SliceWP Affiliates (Affiliate Program Suite). A Stored Cross-Site Scripting (Stored XSS) vulnerability exists in all versions up to 1.2.7 due to insufficient input sanitization and output escaping in the slicewp_affiliate_url shortcode attributes. Exploitatio...
CVE-2026-6672 Affiliate Program Suite <= 1.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via slicewp_affiliate_url Shortcode
The Affiliate Program Suite — SliceWP Affiliates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 1.2.7. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the...
WordPress Affiliate Program Suite — SliceWP Affiliates plugin <= 1.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin SliceWP versions <= 1.2.7...
WordPress Forumax – AI Powered Advanced Community Forum Plugin plugin <= 1.2.7 - Unauthenticated Reflected Cross-Site Scripting vulnerability
Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin BBP Core versions <= 1.2.7...
EUVD-2026-23916
Insecure Permissions vulnerability in DeepCool DeepCreative v.1.2.7 and before allows a local attacker to execute arbitrary code via a crafted file...
DeepCool DeepCreative security vulnerability
DeepCool DeepCreative is a creative design and control software platform for the hardware ecosystem developed by DeepCool Corporation in China. Versions of DeepCool DeepCreative prior to 1.2.7 contained security vulnerabilities. These vulnerabilities were caused by improper permission settings,...
CVE-2026-30266
Insecure Permissions vulnerability in DeepCool DeepCreative v.1.2.7 and before allows a local attacker to execute arbitrary code via a crafted file...
CVE-2026-30266
Insecure Permissions vulnerability in DeepCool DeepCreative v.1.2.12 and before allows a local attacker to execute arbitrary code via a crafted file...
CVE-2026-35479
InvenTree is an Open Source Inventory Management System. Prior to 1.2.7 and 1.3.0, any users who have staff access permissions can install plugins via the API, without requiring "superuser" account access. This level of permission requirement is out of alignment with other plugin actions such as...
CVE-2026-35478
InvenTree is an Open Source Inventory Management System. From 0.16.0 to before 1.2.7, any authenticated InvenTree user can create a valid API token attributed to any other user in the system — including administrators and superusers — by supplying the target's user ID in the user field of a POST...